Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.

Monday, August 6, 2012

A Little Bash Helps Check Those Packet Captures

If you've just started out in network security and are new to Linux as well, you might not yet be familiar with the built-in scripting support in the Linux shell. It's very useful for all sorts of tasks, and that includes going through a directory recursively and taking some action on each file.
Let's say you have a directory of packet captures from some sniffer you're running, and you need to check to see if there are any packets with a particular IP address. You can do this easily with a small bash script using the "for" loop.
Change to the packet capture directory and run this command:

for i in $( ls ); tcpdump -nn -r $i 'host 10.10.1.1';done

The for loop will read in the output of the ls command and populate the variable $i with the first file name which tcpdump will use, and proceed with the next file through each iteration. You can put this in a script file, though for simple scripts like this it may be better just to use it from the command line. That way you can add as much to tcpdump to narrow or expand your search. What if you wanted to see all packets from all capture files that have both the SYN and FIN flags set? (bad traffic for certain)

for i in $( ls );do tcpdump -nn -r $i 'tcp[13] & 0x03 = 3';done

This is the simplest of uses of bash scripting, which is a powerful tool. There are many sites that will give you a step by step tutorial on using bash scripting (and the scripting built into other shells, like csh, if you're not a bash user).